Malware writers often give their files the same names as legitimate Windows executables to trick users. Experienced cyber security professionals can usually spot these bogus names, but without some experience it can be challenging.
As an example, consider this sample Security+ practice test question that was recently added to the Extras quiz for the online SY0-501 practice test questions.
Q. You are troubleshooting a computer that is displaying erratic behavior. You suspect that malicious software was installed when the user downloaded and installed a free software application. You want to identify the name of the malware and you run the following netstat command from the command prompt:
C:\WINDOWS\system32>netstat -nab > netstat.txt
After opening the text file you see the following information.
Based on the output, what type of malware was most likely installed on the user’s computer?
A. Worm
B. Logic bomb
C. Ransomware
D. RAT
E. Crypto-malware
F. No malware is indicated
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Netstat and Malware Names
The netstat command (short for network statistics) displays TCP/IP protocol statistics on a system, along with the active TCP/IP connections and listening ports. Many attacks establish connections from an infected computer to a remote computer, and if you suspect this, you can often identify those connections with netstat.
In the sample question, netstat is using the following three switches:
- -n Displays addresses and port numbers in numerical form.
- -a Displays all connections and listening ports.
- -b Displays the executable involved in creating each connection or listening port. This switch requires an elevated (administrator) command prompt.
The -b switch is key here because it identifies the executable that created each connection or listening port. For a service hosted by svchost.exe, netstat prints the service name on one line and [svchost.exe] on the next, and it prints "Can not obtain ownership information" when it cannot determine which process owns an entry. The graphic shows the following names:
- RpcSs [svchost.exe]
- [chrome.exe]
- winserver.exe
- SSDPSRV [svchost.exe]
- Can not obtain ownership information
Valid Executable Names and Malware Names
From a simpler perspective, the question is asking you which of these executables is NOT valid.
svchost.exe
The svchost.exe executable is a system process used to host multiple instances of Windows Services at a time. It is valid and is shown in brackets [svchost.exe] after the service it is starting, such as RpcSs [svchost.exe].
The valid version is located in the c:\Windows\system32\ folder as svchost.exe.
The valid version of svchost.exe will only launch valid services.
Warning: Malware writers often name their malware svchost.exe and place it in a folder other than c:\Windows\system32\. If such a copy is running, it will typically appear in the netstat results as svchost.exe or [svchost.exe] without a service name on the line before it.
RpcSs
RpcSs is the service name of the Remote Procedure Call (RPC) service. It supports Component Object Model (COM) and Distributed COM (DCOM) technologies, and many Microsoft applications use it to call reusable code.
The valid version is located in the c:\windows\system32 folder as rpcss.dll.
Warning: Malware writers often name their malware rpcss.exe and place it in other folders. The legitimate component is a DLL hosted by svchost.exe, so if the malware version is running, it will typically appear in the netstat results as rpcss.exe or [rpcss.exe] rather than as RpcSs followed by [svchost.exe].
Chrome
The entry showing [chrome.exe] indicates that the Google Chrome browser is running. It is valid.
SSDPSRV
SSDPSRV is the service name of the SSDP Discovery service, and it is valid. Windows uses it to discover networked devices and services that use the Simple Service Discovery Protocol (SSDP).
The valid version is located in the c:\windows\system32 folder as ssdpsrv.dll.
Warning: Malware writers often name their malware ssdpsrv.dll and place it in other folders. Such copies won't pass system checks and cannot be started by the valid version of svchost.exe, so an ssdpsrv entry that is not shown as SSDPSRV followed by [svchost.exe] deserves a closer look.
Winserver.exe
Winserver.exe is a very old file name used in Windows systems, but it hasn't been used in Windows XP, Windows Vista, Windows 7, or Windows 10.
Trojan malware has adopted the name winserver.exe because it looks legitimate. It tries to terminate antivirus programs, monitor the user's Internet activity, gather private information, and send the data to the attacker. Some versions of this Trojan allow the attacker to remotely access the infected computer to collect and steal passwords.
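The following Python script is an added example and is not code from the original post or the study guide. It parses saved netstat -nab output and applies the checks described in the svchost.exe, RpcSs, SSDPSRV and Winserver.exe sections above: a name used by known malware, an [svchost.exe] entry with no service name before it, a hosted service whose executable is not svchost.exe, and entries netstat could not attribute to a process. The sample output, the known-good executable list, the service-to-host table and the known-bad name list are constructed from the names in this post and are assumptions for illustration, not an authoritative list; on a real system you would also confirm each executable's path and digital signature.

```python
import re
from dataclasses import dataclass

# Constructed sample resembling what `netstat -nab > netstat.txt` produces.
# The addresses and the bare winserver.exe entry are made up for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:49712     142.250.72.46:443      ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.20:49820     203.0.113.45:8080      ESTABLISHED
 [winserver.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  UDP    0.0.0.0:1900           *:*
  SSDPSRV
 [svchost.exe]
  UDP    192.168.1.20:62000     *:*
 [svchost.exe]
"""

# Assumed lists built from the post's text; extend them for your environment.
HOSTED_SERVICES = {"rpcss": "svchost.exe", "ssdpsrv": "svchost.exe"}
KNOWN_GOOD_EXES = {"svchost.exe", "chrome.exe"}
KNOWN_BAD_NAMES = {"winserver.exe", "rpcss.exe", "ssdpsrv.exe"}

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
EXE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
OWNER_MISSING = "Can not obtain ownership information"


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: str
    service: str = ""      # service name printed before [svchost.exe], if any
    exe: str = ""          # executable name, lower-cased, brackets removed
    owner_known: bool = True


def parse_netstat(text):
    """Group each TCP/UDP line with the owner lines that follow it."""
    conns, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Active Connections") or line.startswith("Proto"):
            continue
        m = CONN_RE.match(raw)
        if m:
            proto, local, remote, state = m.groups()
            current = Connection(proto, local, remote, state or "")
            conns.append(current)
        elif current is None:
            continue
        elif line == OWNER_MISSING:
            current.owner_known = False
        elif (m := EXE_RE.match(line)):
            current.exe = m.group(1).lower()
        elif line.lower().endswith(".exe"):
            current.exe = line.lower()          # image name printed without brackets
        else:
            current.service = line              # e.g. RpcSs or SSDPSRV
    return conns


def review(conn):
    """Return the reasons (possibly none) this entry deserves a closer look."""
    reasons = []
    if not conn.owner_known:
        return ["owner not identified by netstat; check the owning process with tasklist"]
    exe, svc = conn.exe, conn.service.lower()
    if exe in KNOWN_BAD_NAMES:
        reasons.append(f"{exe} is a name used by known malware")
    if exe == "svchost.exe" and not svc:
        reasons.append("svchost.exe with no hosted service name")
    if svc in HOSTED_SERVICES and exe != HOSTED_SERVICES[svc]:
        reasons.append(f"service {conn.service} is not running under {HOSTED_SERVICES[svc]}")
    if exe and exe not in KNOWN_GOOD_EXES and exe not in KNOWN_BAD_NAMES:
        reasons.append(f"{exe} not in the known-good list; confirm its path and signature")
    if reasons and conn.state == "ESTABLISHED":
        reasons.append(f"active connection to {conn.remote}")   # possible remote control channel
    return reasons


def triage(text):
    """Return (connection, reasons) for every entry that fails a check."""
    return [(c, review(c)) for c in parse_netstat(text) if review(c)]


if __name__ == "__main__":
    for conn, reasons in triage(SAMPLE_NETSTAT):
        print(f"{conn.proto} {conn.local} -> {conn.remote} [{conn.exe or '?'}]")
        for r in reasons:
            print("   ", r)
```

Run against the sample, the script flags the winserver.exe entry together with its established connection to the remote host, the unattributed port 445 listener, and the [svchost.exe] entry on UDP 62000 that has no service name before it, while the RpcSs, SSDPSRV and chrome.exe entries pass.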
Q. You are troubleshooting a computer that is displaying erratic behavior. You suspect that malicious software was installed when the user downloaded and installed a free software application. You want to identify the name of the malware and you run the following netstat command from the command prompt:
C:\WINDOWS\system32>netstat -nab > netstat.txt
After opening the text file you see the following information.
Based on the output, what type of malware was most likely installed on the user’s computer?
A. Worm
B. Logic bomb
C. Ransomware
D. RAT
E. Crypto-malware
F. No malware is indicated
The answer is D. The winserver.exe file is a remote access Trojan (RAT). All of the other executable names displayed by netstat are valid.
A worm is self-replicating malware that travels throughout a network without the assistance of a host application or user interaction.
A logic bomb is a string of code embedded into an application or script that will execute in response to an event.
Ransomware is a specific type of Trojan that typically encrypts the user’s data until the user pays a ransom.
Ransomware that encrypts data is often called crypto-malware.
Because winserver.exe is known malware, the netstat output does indicate malware is running.
See Chapter 6 of the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide for more information on malware.
Thanks – this was helpful. I saw that the RAT sends login details to attackers for control of the computers – I was not initially seeing what hint was the indicator until your post about winserver. Appreciate it.